On Thu, Jan 02, 2014 at 02:00:39PM +0100, Arno Töll wrote:
> Hi,
>
> even more so a discussion on debian-devel [1] came to the conclusion
> that /var/www as a document root is security-wise a bad default for web
> servers.
>
> Therefore, we, Apache maintainers, decided to change the default
> document root to /var/www/html (#730372). This might be seen as a policy
> violation as of §11.5, but we do not violate the FHS as this directory
> does not exist there.

Hello Arno,

Are the other HTTP engines going to also change the default document root to
/var/www/html?

> I'm not sure about the state of the FHS when this bug was filed, but to
> date /srv exists per FHS as a place to put organization-local files,
> e.g. document roots which is a replacement to /var/www _to users_. We,
> as a maintainer cannot use /srv straight though to avoid information
> leaks. Moreover, we must neither assume any organization-local directory
> structure below /srv.
> Please clarify this ambiguity in the policy.

But practically what are you suggesting? Add an FHS exception for
/var/www/html and change the document root in policy?

Cheers,
-- 
Bill. <ballo...@debian.org>

Imagine a large red swirl here.